A Cyberattack is a Street Fight

Cyberattacks must be viewed as large-scale business operations crises.

A successful cyberattack can shut down operations – not just for a few hours, but for days and weeks. The collateral damage, such as information leaks, reputational damage and so on, can continue for much longer.

Organizations realize that more cyberattacks are to be expected in the future, and that they will grow in scale and sophistication over time. Organizations rarely know that their IT environments have been breached until it is too late. At that point, an organization could have much of its IT infrastructure infected with malware, be subject to ransom demands for its data, or suffer other destructive attacks that result in compromised or lost data.

In the time between the initial breach and detection, the hacker team is likely to have compromised many systems and applications, systematically worked to elevate its privileges in the environment and compromised, destroyed or encrypted data.

To ensure effective enterprise-wide risk containment, cybersecurity and business continuity management (BCM) leaders must align their processes. This requires two distinct phases – a planning phase that identifies the best practices to apply before you experience a cyberattack, and a response and recovery phase that identifies the best practices that apply once you are in crisis mode.

Even organizations that do have a cyberincident plan sometimes assume that an incident is an orderly affair, following a well-defined procedural pathway. Authors of these plans often assume that the attacker will have one mode of attack, that the incident will be a relatively simple and brief affair, and that it will be similar to a typical technology failure.

The reality is different. A cyberattack is a street fight. You are not dealing with a technology failure, although a manufactured technology failure might be one of the methods used against your enterprise. Rather, you are dealing with a motivated individual or group of individuals that has decided to target the organization, leaving your business with a messy, chaotic and long-term event.

Cyberattacks must be viewed as large-scale business operations crises and, therefore, must be handled from an enterprise continuity of operations perspective. Integrating established BCM best practices into the existing computer security incident response process can boost the organization’s ability to control the damage of a cyberattack, speed up the efforts to get back to normal operations and, therefore, reduce some of the financial impact of the cyberattack. For example:

- Business impact analysis (BIA) can quickly identify if impacted IT services, operating locations, and partners/suppliers/third parties are mission-critical to the organization.
- Crisis communications processes and automation set up for traditional BCM disruptions can be leveraged for a cyberattack.
- Business recovery and resumption plans can be used if IT services are shut down by the cyberattack and while waiting for cleansed IT services to become operational.
- IT disaster recovery (DR) procedures can be used to restart systems and restore data in the right sequence.
- Crisis management automation can be used to manage the organization’s overall response and recovery from a cyberattack.

The BCM and computer security incident response team (CSIRT) alignment ensures that there is collaboration through proactive team development and cross-team representation throughout the organization. It also means that both disciplines are involved in all phases of the incident cycle – planning, budgeting, strategy development, exercising, event response, program management and governance.

DISCLAIMER: The views expressed are solely of the author and ETCIO.com does not necessarily subscribe to it. ETCIO.com shall not be responsible for any damage caused to any person/organisation directly or indirectly.